Auth0 Logs

Panther supports receiving Auth0 logs directly via webhook

Overview

Panther ingests Auth0 tenant logs by configuring Auth0's log streaming service to post events to a Panther HTTP source.

How to onboard Auth0 logs to Panther

Step 1: Create a new Auth0 source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Auth0,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Log Stream in Auth0

Log in to your Auth0 tenant.
From the dashboard, navigate to Monitoring > Streams.
Click Create Stream.
Select Custom Webhook.
Give your Event Stream a descriptive name, e.g., Panther Log Stream.
In the Payload URL field, paste the URL for the Auth0 HTTP source in Panther you generated in the previous step of this process.
In the Authorization Token field, enter the bearer token you used when setting up the Auth0 source in Panther, in the previous step of this process.
- Enter this value in the form Bearer <token value>.
Click Save.

Panther-managed detections

See Panther-managed rules for Auth0 in the panther-analysis GitHub repository.

Supported log types

Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see Auth0's documentation on tenant log events.

```yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
  - name: log_id
    required: true
    description: The ID of the log.
    type: string
  - name: asdfg
    type: array
    validate:
      allow: ['authentication']
    element:
      type: string
  - name: data
    required: true
    description: The data object containing information about the log.
    type: object
    fields:
      - name: date
        description: Date/Time when the event occurred.
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
      - name: type
        description: Type of event.
        type: string
      - name: description
        description: Description of this event.
        type: string
      - name: connection
        description: Name of the connection the event relates to.
        type: string
      - name: connection_id
        description: ID of the connection the event relates to.
        type: string
      - name: client_id
        description: ID of the client (application).
        type: json
      - name: client_name
        description: Name of the client (application).
        type: string
      - name: ip
        description: IP address of the log event source.
        indicators:
          - ip
        type: string
      - name: client_ip
        type: string
        description: IP address of the client which caused the event.
        indicators:
          - ip
      - name: hostname
        description: Hostname the event applies to.
        type: string
      - name: user_id
        description: ID of the user involved in the event.
        type: string
        indicators:
          - username
      - name: user_name
        description: Name of the user involved in the event.
        type: json
        indicators:
          - username
      - name: audience
        description: API audience the event applies to.
        type: string
      - name: scope
        description: Scope permissions applied to the event.
        type: json
      - name: strategy
        description: Name of the strategy involved in the event.
        type: string
      - name: strategy_type
        description: Type of strategy involved in the event.
        type: string
      - name: details
        description: Additional useful details about this event (structure is dependent upon event type).
        type: json
      - name: log_id
        description: Unique ID of the event.
        type: string
      - name: is_mobile
        description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
        type: boolean
      - name: user_agent
        description: User agent string from the client device that caused the event.
        type: string
      - name: location_info
        description: Information about the location that triggered this event based on the IP.
        type: object
        fields:
          - name: country_code
            description: Two-letter Alpha-2 ISO 3166-1 country code.
            type: string
          - name: country_code3
            description: Three-letter Alpha-3 ISO 3166-1 country code.
            type: string
          - name: country_name
            description: Full country name in English.
            type: string
          - name: city_name
            description: Full city name in English.
            type: string
          - name: latitude
            description: Global latitude position.
            type: float
          - name: longitude
            description: Global longitude position.
            type: float
          - name: time_zone
            description: Time zone name as found in the tz database.
            type: string
          - name: continent_code
            description: Two-letter continent code.
            type: string
```

PreviousAuditd Logs (Beta)NextAWS Logs

Last updated 7 months ago

How to onboard Auth0 logs to Panther

Step 1: Create a new Auth0 source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search for “Auth0,” then click its tile.

In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

Click Start Setup.

Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Log Stream in Auth0

From the dashboard, navigate to Monitoring > Streams.

Click Create Stream.

Select Custom Webhook.

Give your Event Stream a descriptive name, e.g., Panther Log Stream.

In the Payload URL field, paste the URL for the Auth0 HTTP source in Panther you generated in the previous step of this process.

In the Authorization Token field, enter the bearer token you used when setting up the Auth0 source in Panther, in the previous step of this process.

Enter this value in the form Bearer <token value>.

Click Save.

Supported log types

Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see Auth0's documentation on tenant log events.

```yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
  - name: log_id
    required: true
    description: The ID of the log.
    type: string
  - name: asdfg
    type: array
    validate:
      allow: ['authentication']
    element:
      type: string
  - name: data
    required: true
    description: The data object containing information about the log.
    type: object
    fields:
      - name: date
        description: Date/Time when the event occurred.
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
      - name: type
        description: Type of event.
        type: string
      - name: description
        description: Description of this event.
        type: string
      - name: connection
        description: Name of the connection the event relates to.
        type: string
      - name: connection_id
        description: ID of the connection the event relates to.
        type: string
      - name: client_id
        description: ID of the client (application).
        type: json
      - name: client_name
        description: Name of the client (application).
        type: string
      - name: ip
        description: IP address of the log event source.
        indicators:
          - ip
        type: string
      - name: client_ip
        type: string
        description: IP address of the client which caused the event.
        indicators:
          - ip
      - name: hostname
        description: Hostname the event applies to.
        type: string
      - name: user_id
        description: ID of the user involved in the event.
        type: string
        indicators:
          - username
      - name: user_name
        description: Name of the user involved in the event.
        type: json
        indicators:
          - username
      - name: audience
        description: API audience the event applies to.
        type: string
      - name: scope
        description: Scope permissions applied to the event.
        type: json
      - name: strategy
        description: Name of the strategy involved in the event.
        type: string
      - name: strategy_type
        description: Type of strategy involved in the event.
        type: string
      - name: details
        description: Additional useful details about this event (structure is dependent upon event type).
        type: json
      - name: log_id
        description: Unique ID of the event.
        type: string
      - name: is_mobile
        description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
        type: boolean
      - name: user_agent
        description: User agent string from the client device that caused the event.
        type: string
      - name: location_info
        description: Information about the location that triggered this event based on the IP.
        type: object
        fields:
          - name: country_code
            description: Two-letter Alpha-2 ISO 3166-1 country code.
            type: string
          - name: country_code3
            description: Three-letter Alpha-3 ISO 3166-1 country code.
            type: string
          - name: country_name
            description: Full country name in English.
            type: string
          - name: city_name
            description: Full city name in English.
            type: string
          - name: latitude
            description: Global latitude position.
            type: float
          - name: longitude
            description: Global longitude position.
            type: float
          - name: time_zone
            description: Time zone name as found in the tz database.
            type: string
          - name: continent_code
            description: Two-letter continent code.
            type: string
```